You too can learn to be a password ninja!

About this site

This site was created by a software developer based in Bristol, UK, to make it easy for anyone, whatever their level of IT knowledge, to understand how to stay safe online by using strong and secure passwords.

Passwords are not a complicated thing, and knowing how to use them correctly shouldn't have to be either. Many websites on the internet will give you different advice on how to pick a good password, and much of that advice is outdated and wrong.

The purpose of be-a-password.ninja is to provide clear and simple advice on how to pick and use a password, written in language that any English speaker can understand. If you have any thoughts on the content of this site, please reach out to the creator on Twitter.

Why do we need passwords?

You can use a username or an email address to identify yourself to a remote system such as Facebook or Twitter; however, as a username is public information, it does not verify your identity (anyone could type it in).

A password, however, is something secret that you and the remote system agree on in advance. Using the username and the password together, you and the remote system can confirm your identity.

If you ask any security expert they will likely be happy to tell you that passwords are flawed; they are, however, the default and currently the most accessible form of identity verification we have. This is why it is so important that you pick a strong and unique password for each service (social media, email, bank, etc.) that you use.

Strength with numbers!

A simple rule is that the longer a password is, the stronger it is; and the more types of character in the password, the larger the set of potential passwords becomes. The more possible passwords there are, the longer it will take for someone to guess or crack yours.

Password strength is based on entropy; the more types of character you use, the higher the entropy. A single digit gives 10 options, a letter gives 26, upper and lower case together give 26+26=52, and symbols give 33. Taking an eight character password as an example:
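The comparison the paragraph sets up can be worked through in code. The following is an added example written for this page, not the site's own tooling: it computes the alphabet size, the number of possible passwords and the entropy in bits for an eight character password over each growing character set, and it generalises to any length (the 30 character case discussed later on the page included). The only assumption is that "symbols" means the 32 ASCII punctuation characters plus the space, which is how the article's 10+26+26+33=95 characters come about.

```python
import math
import string

# Character classes with the sizes the article uses. Assumption: "symbols" means
# the 32 ASCII punctuation characters plus the space (33 in total), giving the
# 95 printable ASCII characters when all four classes are combined.
CHARACTER_CLASSES = {
    "digits": string.digits,              # 10 options
    "lower": string.ascii_lowercase,      # 26 options
    "upper": string.ascii_uppercase,      # 26 options
    "symbols": string.punctuation + " ",  # 33 options
}


def alphabet_size(classes):
    """Number of distinct characters available when these classes are used."""
    return sum(len(CHARACTER_CLASSES[c]) for c in classes)


def keyspace(length, classes):
    """Total number of possible passwords of this length over this alphabet."""
    return alphabet_size(classes) ** length


def entropy_bits(length, classes):
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size(classes))


def worst_case_crack_seconds(length, classes, guesses_per_second):
    """Seconds needed to try the whole keyspace at a given guess rate
    (on average an attacker finds the password after half of this)."""
    return keyspace(length, classes) / guesses_per_second


def classes_in(password):
    """Which character classes actually appear in a given password."""
    return {
        name for name, chars in CHARACTER_CLASSES.items()
        if any(ch in chars for ch in password)
    }


def strength_table(length=8):
    """The article's eight character comparison: one row per growing alphabet,
    as (classes, alphabet size, possible passwords, entropy in bits)."""
    combos = [
        ("digits",),
        ("lower",),
        ("lower", "upper"),
        ("lower", "upper", "digits"),
        ("lower", "upper", "digits", "symbols"),
    ]
    return [
        (" + ".join(c), alphabet_size(c), keyspace(length, c), round(entropy_bits(length, c), 1))
        for c in combos
    ]


if __name__ == "__main__":
    for name, size, space, bits in strength_table(8):
        print(f"{name:<34} alphabet={size:>3} passwords={space:>22,} entropy={bits} bits")
    # A random 30 character password drawn from all four classes:
    everything = ("lower", "upper", "digits", "symbols")
    big = keyspace(30, everything)
    print(f"30 characters, all classes: {big:,} ({len(str(big))} digits)")
    # A sentence-style password only gets credit for the classes it really uses:
    print(sorted(classes_in("Picture face on the wall!")))
```

Running the script prints the five rows for eight characters (from 10^8 possibilities at 26.6 bits for digits only, up to 95^8 at 52.6 bits for all classes) followed by the 60 digit count for the 30 character case; the `classes_in` helper shows why a sentence with capitals and punctuation lands in the larger alphabets without you having to memorise random characters.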

Choosing a strong password

With the advent of social media (and everyone's habit of oversharing) it has become even easier to find out specifics about a person: who their parents are, where their first school was, their dog's name, or what their date of birth is. This means that you should never use personal information as part of your password. You should also keep this in mind when picking the answers to "secret questions" for password recovery or account management.

The easy way to come up with a good password is to pick a few words and form a sentence; by using proper punctuation you add in symbols (spaces, commas, full stops, etc.) that increase the strength of your password. Sentences are also easier to remember than random strings of letters and numbers. You can also use this tactic to create custom passwords for each site, choosing sentences that remind you of the website (just don't use these!):

Facebook: "Picture face on the wall!"

Twitter: "The little blue bird sings!"

Email: "Read messages inbox full!"

Choosing passwords which are made up of sentences increases both the strength of your password and your ability to remember a strong password; the sentences above are a lot easier to remember than a random string of characters.

Awesome Passwords

An awesome password is the one that even you can't remember! It seems silly to pick a password that you can't remember, but that is the only way to pick a truly strong password.

Picking a random 30 character password with all the character types gives you a total of 216,922,155,048,713,498,504,350,916,418,738,969,077,524,590,365,430,142,017,120 possible passwords; no one is going to guess or crack that any time soon! The only way you are going to remember passwords this strong is to use a password manager: a system which keeps track of all your passwords in a way that only you can access.

Password managers act like a digital safe, keeping a record of every password you use and which site you use it on; this way you only have to remember one password, and you can make it a strong one. The password to your password manager should be a long sentence with several words and additional digits/symbols, such as:

What is a password manager?

A password manager stores all your login information (usernames and passwords) for each website that you use; you can use the most complex password a website will allow without having to remember it. The credentials you store in a password manager are generally secured with an extra strong password, the last password you need to remember! Along with the master password, you will often require an additional encryption value to access the password manager for the first time on a new system.

Most password managers also come with browser, mobile, and desktop applications to ensure you always have access to your stored credentials. Some are free and some come with a monthly fee attached, but for the price of a cup of coffee you can drastically increase your online security. Along with credential storage, some offerings come with extra features such as 1Password Watchtower, which checks your accounts against the Have I Been Pwned dataset.

Which password manager?

There are a number of password managers available (1password.com, LastPass, Dashlane, etc.), all of which have, as with any software, their benefits and drawbacks. Personally (@jamesakadamingo) I use 1Password.com; I selected it after a lot of research and on the advice of some notable security professionals (Troy Hunt and Scott Helme to name two). You can read all about 1password.com over on their website.

What not to do next!

The advice used to be 'passwords are like pants, keep them private and change them regularly'; unfortunately, changing passwords at set intervals encourages bad habits. People end up appending the year or month to their chosen password, or following some other predictable path.

'Never write your password down' might not be such great advice! The best password is one that you can't remember. A password manager deals with this for you, but not everyone is suited to a password management application. For an elderly person who only uses their computer at home, a password book might not be such a bad idea (just make sure it is kept hidden away from the computer).

Have I Been Pwned?

Have I Been Pwned (or HIBP for short) is a service run by the security expert Troy Hunt; it has been recognised by many news outlets and is utilised by several government agencies.

HIBP is a free resource which allows any user to check if their email address (or domain) has been found in any data-breaches. Troy puts in the effort to locate and catalogue the data-breaches which happen every week, notifying any subscribers to the website each time their email address appears in a breach.

Although not actually related to passwords, subscribing to HIBP is one of the steps to becoming a password ninja! If an account is breached then it is possible its password was too, and it needs to be changed. Visit https://haveibeenpwned.com to find out more.

Multi-Factor Authentication

Multi-Factor Authentication (MFA, sometimes known as two-factor authentication or 2FA) is an additional method of confirming an identity. On top of entering a password you enter a numeric code from a device you have (such as your smartphone); the code changes at set intervals known to both the server and the device.

By using a second piece of information to authenticate, you ensure that a breached password does not leave the account open to intruders; any attacker would need access to the physical token generator alongside the breached password.

Check out TwoFactorAuth.org to find a list of sites/applications which are known to support multi-factor authentication.

About be-a-password.ninja

This website (be-a-password.ninja) was a weekend project by @jamesakadamingo.

James is a software developer from the South-West of England, working mostly in .NET (C#) creating desktop, web, service, and backend software for the legal and health markets.